Is a Discord Account Compromised?

Account takeover is the inverse of the usual bot problem. Instead of a fake account built to look human, it’s a real human’s account suddenly being run by someone — or something — else. The account has real history, real friends, a real avatar, a long tenure. Every profile-based check says “trusted member.” And it’s now firing scam links at everyone it knows.

This is why takeover is so effective inside a server: the account’s reputation does the attacker’s work. People click the link because they trust the sender. The defense can’t be “is this account real” — it obviously is. The defense has to be “is this account suddenly behaving differently.”

The signs of a takeover

A hijacked account betrays itself through a change, not a baseline:

• A sudden behavioral break. An account that chatted normally for months abruptly switches to firing links, mass-DMing, or posting in channels it never used. The shift is the signal.
• Machine-like output from a previously human account. Identical messages to many people in seconds, inhuman timing, no typos or conversational variance — automation driving an account that used to behave like a person.
• Off-hours activity spike. A member who was active evenings-only suddenly active at 4am, blasting the same content.
• New authorized apps or sessions the real owner didn’t add (visible to the owner under User Settings → Authorized Apps and Devices).

The tell is always the delta from how that specific account used to behave — which means you can only see it if something was watching the baseline.

What to do right now

If a member’s account is compromised (server side):

1. Timeout the account immediately and delete the scam messages. You’re protecting the rest of the server, not punishing the member — a timeout is reversible.
2. Reach the real person out-of-band — another platform, a mutual friend. Don’t assume the DMs are reaching them; the attacker may be reading them.
3. Tell them the recovery steps (below). Once they’ve recovered, lift the timeout.

If it’s your account (owner side):

1. Change your password — this invalidates stolen tokens, which is what most takeovers rely on.
2. Enable 2FA.
3. Revoke unknown apps and log out other sessions under User Settings → Authorized Apps / Devices.
4. Warn the people the attacker messaged — the links they sent are live traps.

Takeovers usually start with a Nitro scam or a token grabber; if you don’t know how the account was caught, those pages cover the entry points.

Where Gait fits

Gait scores accounts by behavior over time, so a takeover shows up as what it is: a sharp shift in an account’s behavioral pattern. An account that scored as confirmed_human and then abruptly starts producing machine-like output moves toward likely_automated — and the flag arrives with the account’s Discord identity and the reasons, so your moderators can tell the difference between a scammer to ban and a trusted regular whose account was hijacked and needs a warning.

Gait never reads message content (see our privacy approach); it scores the shape of behavior, which is exactly what changes when a person stops driving the account and automation takes over. Because it aggregates across every server running Gait, a takeover spreading the same pattern through multiple communities surfaces faster than any one server would catch it alone.

Related pages

• /threats/nitro-scam
• /threats/token-grabber
• /privacy